At the risk of posting a blog entry that's nothing but links to other resources and commentary, several friends of the Proofpoint blog pointed out this article—about San Francisco area security startup eCert and the introduction of their "eCert Email Domain eCertification Service"—as something I might want to comment on:
Wall Street Journal "Digits" Blog: Startup Hopes to Stop Phishing with Certified Email
In that article, Ben Worthen describes eCert's efforts to stop phishing and targeted attacks with a service that, "confirms that an email is from the company it says it's from." The timing for this article coincides with eCert's introduction of a new service (see press release "eCert Partners With Google and Yahoo! to Protect Businesses and Consumers From Email Fraud").
Regular email security blog readers will no doubt say that this sounds like yet another email authentication idea and wonder if this is some sort of new approach or if it builds on other existing email authentication schemes such as SPF and DKIM. Certainly, there's a great need to help reduce the impact of phishing activities (especially as targeted phishing - aka spear phishing - attacks have become so prevalent).
(Here come more links: You can find my recent blog postings related to phishing here - http://blog.proofpoint.com/phishing/ - and, particularly relevant is the post Spear Phishing Experiment Shows Spoofed Social Media Email Bypasses Most Email Filters.)
And, indeed, it looks like the service that eCert has announced is aimed at helping financial institutions and other heavily phished organizations use existing email authentication mechanisms to best effect, even though that's not entirely obvious from their press release. From their press release:
"The eCert Email Domain eCertification Service is a centralized service to register, manage and monitor domains that send email. Three key features of eCert’s groundbreaking new service include: monitoring email traffic and threat activity, protecting member company emails against major forms of phishing, and ‘eCertification’ that enables advanced security, improved delivery and other important benefits, including delivery of critical data on email traffic activity and phishing attack alerts."
While one could be cynical about the commercialization of SPF/DKIM technologies, in practice, it can be very difficult for a large organization to properly configure SPF and/or DKIM, in part due to the large number of third parties who may, in fact, send legitimate email on behalf of that organization. So it makes sense for a company like eCert to provide an end-to-end service that takes care of all the minutiae involved in email authentication.
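To make the third-party problem concrete, here is a small added example (my own illustration, not code from eCert, Proofpoint, or the BITS paper): an offline SPF evaluator that walks a record's `include:` chain and counts the DNS lookups it causes. The domain names and TXT records are constructed for the demonstration; real records are fetched from DNS and support more mechanisms than the `ip4`, `ip6`, `include` and `all` handled here.

```python
"""Minimal offline SPF evaluator (added example; not from the post or eCert).

The DNS answers below are constructed. The organization's own record
delegates to two hypothetical third-party senders, which is exactly the
situation that makes large-organization SPF hard to keep correct."""
import ipaddress

# Constructed TXT records, keyed by domain (assumed names, not real zones).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mailer-a.example "
                   "include:mailer-b.example -all",
    "mailer-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "mailer-b.example": "v=spf1 include:mailer-b-pool.example -all",
    "mailer-b-pool.example": "v=spf1 ip4:203.0.113.0/25 ip6:2001:db8::/32 -all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on lookup-causing terms per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS, counter=None):
    """Return (result, lookups_used) for sender_ip against domain's record.

    Supports ip4, ip6, include and all; other mechanisms are out of scope.
    """
    if counter is None:
        counter = {"lookups": 0}
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", counter["lookups"]
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to "pass" when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # An address of the other IP version never matches a network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], counter["lookups"]
        elif name == "include":
            counter["lookups"] += 1
            if counter["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror", counter["lookups"]  # too many lookups
            sub, _ = evaluate_spf(arg, sender_ip, records, counter)
            if sub == "pass":
                return QUALIFIERS[qualifier], counter["lookups"]
            if sub in ("none", "permerror", "temperror"):
                return "permerror", counter["lookups"]
            # fail/softfail/neutral inside an include is simply "no match".
        elif name == "all":
            return QUALIFIERS[qualifier], counter["lookups"]
    return "neutral", counter["lookups"]  # record ran out without a match


def count_lookups(domain, records=SPF_RECORDS, seen=None):
    """Count lookup-causing terms across the whole include tree.

    This is the pre-publication check a sender wants: every third party
    added with include: spends part of the 10-lookup budget, including
    whatever that third party's own record pulls in.
    """
    if seen is None:
        seen = set()
    if domain in seen:  # guard against include loops
        return 0
    seen.add(domain)
    total = 0
    for term in records.get(domain, "").split()[1:]:
        term = term.lstrip("+-~?").replace("=", ":", 1)  # redirect=domain
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, records, seen)
    return total


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.5", "2001:db8::1", "203.0.113.200"):
        print(addr, evaluate_spf("example.com", addr))
    print("lookups used by example.com:", count_lookups("example.com"))
```

Note how a message from the second third party's pool costs three DNS lookups before it passes, and how a sender that falls outside every delegated range is rejected by the organization's own `-all` only after the entire chain has been walked. Each additional vendor an organization authorizes adds to that count, which is why a record that grows organically can silently cross the lookup limit and start producing `permerror` results instead of protecting anything.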
And this brings me to what may be the most useful link in this post... In cooperation with BITS, eCert published a really good whitepaper on email authentication deployment that they make freely available. I haven't read this document in great detail, but it provides a really good overview of (1) what email authentication is and what it does, (2) what email authentication does not do, (3) basic info about how SPF and DKIM operate, (4) pre-deployment considerations for large organizations, and even a sample project plan.
Heck, they don't even require registration to download this paper. You can snag a copy at this link:
BITS/eCert whitepaper: Email Sender Authentication Deployment
While I was researching this post, I also ran across some pretty amusing commentary from the unknown blogger at "What The Hell? Security", which is a very interesting and opinionated security blog.
There are two relevant posts there. First, a post inspired by reading eCert's announcement, "fishing for red herring phishing solutions," and second, a thought-provoking post about "the 9 laws of phishing."
The "9 laws" is especially worth reading, I think, and probably deserves its own post here in the Email Security Blog at a later time. But right now, I have to get back to not clicking on bad links.